Podcast Episode

279 – Securing Your WordPress Site – Advanced Fixes

Announcements

  • Prepare your sites for WordPress 4.5 by creating a backup of your site and updating all of your themes and plugins.

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Page Animations and Transitions adds multiple animation effects to your WordPress site so you can show your pages with stylish transitions.

Securing Your WordPress Site – Advanced Fixes

This is the second of a three-part series; here is part one.

Today’s tips are going to be a bit more advanced than last week’s, but they are still fairly easy to accomplish.

Use a security plugin

Security plugins do what the name implies: they help you keep your site secure through several different methods.

iThemes Security will help you make your site more secure by walking you through a checklist of things that you can change on your site.

Wordfence Security has some of the same functionality, but the feature that stands out is that it compares your site’s core, theme, and plugin code against the WordPress repository’s copies to make sure none of the files are infected.

VaultPress is technically a backup plugin, but it also has the ability to notify you if there is malicious code on your site. I love this feature from VaultPress.

Protect against brute force attacks

Brute force attacks are tricky to protect against.

A brute force attack is where a hacker simply attempts to guess your password over and over until successful, which often means millions of automated tries in a row.

The best way to protect yourself from brute force attacks used to be a plugin called BruteProtect, but BruteProtect is now part of Jetpack.

It’s easy to set up in Jetpack: basically, turn on Jetpack Protect and check the box 🙂
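As an added illustration (this is not Jetpack Protect’s or iThemes Security’s code), here is a minimal must-use plugin that implements the lockout behaviour the episode describes: after a handful of failed logins from one address, further attempts are refused for 15 minutes. The threshold, the transient names and the function names are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example login lockout
 *
 * Added illustration, not Jetpack Protect or iThemes Security code.
 * Drop this file into wp-content/mu-plugins/ and it loads automatically.
 * 5 failures and 15 minutes are assumed values chosen for the example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                      // failures allowed before lockout
const EXAMPLE_LOCKOUT_SECONDS      = 15 * MINUTE_IN_SECONDS; // MINUTE_IN_SECONDS is defined by WordPress

/**
 * Transient key for the requesting client.
 *
 * REMOTE_ADDR is whoever connected to PHP. Behind a proxy such as Cloudflare
 * that is the proxy's address, so every visitor would share one counter;
 * have the web server restore the real client address before relying on this.
 */
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5( $ip );
}

/**
 * Count a failed login for this client. The counter expires on its own,
 * and every failure (including one refused by the lockout below) refreshes it.
 */
function example_lockout_record_failure( $username ) {
    $key      = example_lockout_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, EXAMPLE_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/**
 * Refuse authentication while the client is locked out. Priority 40 runs
 * after WordPress's own username/password check (priority 20), so even a
 * correct password is rejected during the lockout window.
 */
function example_lockout_check( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // not a form login (e.g. cookie check); leave it alone
    }
    $failures = (int) get_transient( example_lockout_key() );
    if ( $failures >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_check', 40, 3 );

/**
 * Clear the counter once the client logs in successfully.
 */
function example_lockout_reset( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}
add_action( 'wp_login', 'example_lockout_reset', 10, 2 );
```

Jetpack Protect does the same job with a shared, network-wide view of which addresses are attacking, which a single-site counter like this cannot have; the example is here to show what “lock them out for 15 minutes” means in code, including the case where the attacker keeps trying during the lockout.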

Delete unused plugins

One of the items from last week for keeping your site secure is to make sure your plugins stay updated. But this can be a tedious task, since some get updated weekly.

If you aren’t using a plugin, remove it. You can always add it back if you need the functionality again.

Fewer plugins will always be easier to keep updated.

Reduce number of plugins

Another thing is to reduce the number of plugins that you are using.

This doesn’t mean changing how your site works; rather, this is an opportunity to find plugins that combine functionality, like Jetpack. Jetpack has more than 30 features built in, like:

  • contact forms
  • social media buttons
  • stats
  • related posts
  • and more

Use Two Factor Authentication

Two-factor authentication is a combined way to provide login credentials to a service: it requires two pieces of information, something you know and something you have, like a disposable string of numbers.

Many large online services like Apple iCloud, Google, and Dropbox give you the option to use this more secure way to log in, so we should be using it with our sites too.

There are more than 100 two-factor authentication plugins available; to implement two-factor auth efficiently, use one of them. Two interesting plugins that give a “twist” to two-factor auth are Rublon, which is email-based, and Clef, which uses the camera of your phone.
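The “disposable string of numbers” is usually a time-based one-time password (TOTP, RFC 6238), the scheme behind the six-digit codes Google-style authenticator apps produce. As an added example, not code from Rublon, Clef, or any WordPress plugin, here is the generate-and-verify side in PHP 7+; the key is the RFC’s published test key so the self-check at the bottom has a known answer.

```php
<?php
/**
 * Added example: TOTP (RFC 6238) on top of HOTP (RFC 4226), PHP 7+.
 * Not a plugin's code. The secret is the RFC test key (ASCII
 * "12345678901234567890"), chosen so the expected codes are documented.
 */

/**
 * HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated
 * to $digits decimal digits (RFC 4226 section 5.3).
 */
function hotp( $secret, $counter, $digits = 6 ) {
    $msg    = pack( 'J', $counter );                  // 64-bit unsigned big-endian
    $hmac   = hash_hmac( 'sha1', $msg, $secret, true ); // 20 raw bytes
    $offset = ord( $hmac[19] ) & 0x0f;                // low nibble of last byte
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            |   ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/** TOTP: HOTP with counter = floor(unix_time / step); 30-second steps are the norm. */
function totp( $secret, $unix_time, $step = 30, $digits = 6 ) {
    return hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

/**
 * Verify a submitted code. Accepts one step of clock drift either side and
 * compares in constant time so a guesser learns nothing from response timing.
 * A real login flow would additionally refuse to accept the same code twice.
 */
function totp_verify( $secret, $submitted, $unix_time, $window = 1, $step = 30 ) {
    $base = intdiv( $unix_time, $step );
    for ( $i = -$window; $i <= $window; $i++ ) {
        $expected = hotp( $secret, $base + $i );
        if ( hash_equals( $expected, (string) $submitted ) ) {
            return true;
        }
    }
    return false;
}

// --- self-check against the RFC 6238 test vector (SHA-1, T = 59 seconds) ---
function totp_self_check() {
    $secret = '12345678901234567890';
    return totp( $secret, 59 ) === '287082'        // published vector for T = 59
        && totp_verify( $secret, '287082', 59 )
        && totp_verify( $secret, '287082', 59 + 30 ) // one step of drift still accepted
        && ! totp_verify( $secret, '000000', 59 );
}

if ( ! totp_self_check() ) {
    fwrite( STDERR, "TOTP self-check failed\n" );
    exit( 1 );
}
echo "TOTP self-check passed\n";
```

The point for site owners is the one the text makes: the code changes every 30 seconds and is derived from a secret that never leaves the phone, so a stolen password alone does not get anyone in. The `hash_equals` comparison and the drift window are the two details a hand-rolled implementation most often gets wrong.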

Use CloudFlare

CloudFlare routes all traffic coming to your site through a network of servers. Those servers let in only genuine people who want to read your content, and bounce anyone who’s suspicious.

For more detail on how this works, please see this guide.

Monitor for malware

The sad thing about malware is that you don’t find out that “you have malware” until it’s basically too late and the damage has been done. And by this point Google had already dropped my site from the rankings.

The best way to save yourself from similar trouble is to use a solution that scans your WordPress site constantly, and lets you know whenever anything shady is going on.

Tools like Wordfence Security and VaultPress can help you keep tabs on your website.
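To make the file-monitoring idea behind both plugins concrete, here is an added example (not Wordfence’s or VaultPress’s code) of the baseline-and-compare logic: hash every file once from a trusted state, hash again later, and report anything added, removed, or changed. It builds its own throwaway directory tree under the system temp directory, so it runs offline; the file names and contents in it are constructed for the demo.

```php
<?php
/**
 * Added example: file-integrity baseline and comparison, PHP 7+.
 * Not Wordfence or VaultPress code. The demo tree below is constructed.
 */

/** Walk $root and return [relative path => sha256] for every regular file. */
function snapshot_tree( $root ) {
    $hashes = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        $hashes[ str_replace( '\\', '/', $rel ) ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

/** Diff two snapshots; a non-empty result is what a monitor would email you about. */
function compare_snapshots( array $baseline, array $current ) {
    $report = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( ! hash_equals( $baseline[ $path ], $hash ) ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// --- demo on a constructed directory tree ---
$root = sys_get_temp_dir() . '/integrity-demo-' . getmypid();
mkdir( $root . '/wp-content/themes/demo', 0700, true );
file_put_contents( $root . '/wp-config.php', "<?php define('DB_NAME', 'wp');\n" );
file_put_contents( $root . '/wp-content/themes/demo/functions.php', "<?php // clean theme\n" );

// Baseline taken right after a trusted install.
$baseline = snapshot_tree( $root );

// Simulate what a compromise looks like on disk: an edited theme file and a new file.
file_put_contents( $root . '/wp-content/themes/demo/functions.php', "<?php // clean theme\n// unexpected addition\n" );
file_put_contents( $root . '/wp-content/themes/demo/extra.php', "<?php // file that was not there before\n" );

print_r( compare_snapshots( $baseline, snapshot_tree( $root ) ) );

// Remove the throwaway tree (children first, then the root).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $cleanup as $f ) {
    $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
}
rmdir( $root );
```

The caveat that matters in practice: a baseline is only as good as the moment it was taken. That is why Wordfence compares core, theme, and plugin files against the known-good copies in the WordPress.org repository rather than against a local snapshot, which would simply bless whatever was already on disk.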

Block pingbacks and trackbacks

Although pingbacks are semi-useful, they can be used for DDoS attacks. The Sucuri team shed some light on this a while ago.

Consider disabling pingbacks on your site. This can be done in Settings > Discussion.

Disable XML-RPC

XML-RPC has been turned on by default since WordPress version 3.5 to make it easier to publish your content.

If you aren’t using XML-RPC, delete the xmlrpc.php file.
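Deleting xmlrpc.php works until the next core update puts the file back, so here is an added example (not from the episode and not WordPress core code) of getting the same result, together with the pingback block from the previous tip, as a must-use plugin that survives updates. The filters used are WordPress’s own; the plugin name and comments are my additions.

```php
<?php
/**
 * Plugin Name: Example XML-RPC and pingback shutoff
 *
 * Added illustration for the show notes, not code from WordPress core.
 * Put it in wp-content/mu-plugins/. Unlike deleting xmlrpc.php, which a
 * core update restores, these filters keep applying after updates.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Turn off XML-RPC for every method that needs a login (filter since 3.5).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. pingback.ping needs no login, so step 1 alone does not cover the DDoS
//    case the Sucuri write-up describes; remove the pingback methods outright.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Treat every post as closed to pings. This matches the Settings > Discussion
//    checkbox but is enforced in code, so it also covers posts created earlier.
add_filter( 'pings_open', '__return_false' );
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

If you would rather keep the file and block at the web server instead, denying requests for `/xmlrpc.php` there has the same update-proof property; either way, check your access log afterwards for requests to that path, since a steady stream of POSTs to it is the usual sign the endpoint was being abused.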

Check your themes before using them

Use the Theme Check plugin to test your theme and make sure it’s up to spec with the latest theme review standards. With it, you can run all the same automated testing tools on your theme that WordPress.org uses for theme submissions.

Thank You!

Thank you to those who use my affiliate links. As you know, I make a small commission when someone uses my link, and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Call To Action

Take 15 minutes this week and make sure you are doing each of the 10 items mentioned in this week’s show.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today's episode we are going to continue our conversation about securing our WordPress websites. But this time it's going to have a little more advanced fixes right here on Your Website Engineer Podcast, Episode No. 279.

Hello everybody. Welcome back to another episode of Your Website Engineer Podcast. My name is Dustin Hartzler, and today we're going to continue our discussion, like I said in the opening, and we're just going to keep diving in. This is going to be kind of the spring cleaning episode. In a few years past, I've talked about things to remove or things that we need to do to kind of make sure that we're ready for springtime and things like that. But this time around, this spring, we're going to talk about how to make our sites more secure. Not that they're outdated or WordPress is becoming less secure or things like that, these are all things that we should be doing on a regular basis anyways for every WordPress website that we have.

So we're going to dive into that. First off, I want to let you know about the announcements. We are less than a week away from the schedule to plan release of WordPress 4.5. It feels like I've been talking about the beta releases and the releases for weeks and weeks and weeks, but we're finally on that home stretch. By the time the next podcast comes out, episode-wise, fingers crossed, the new version of WordPress will be out. So the thing is to prepare for that, what I always like to do is like to have a full backup. I mean a complete backup, including WordPress, in case something goes wrong, something doesn't work right with your theme or something like that. Make sure you have a full backup. Make sure that you're updated to all of the latest and greatest of plug-ins. Make sure that you're running the latest software in that sense.

Then I also like to run a development version and make sure that the release candidate version that's out there actually works well. There was a version a few revisions ago, and this was probably like ten revisions ago – I want to say WordPress 3.3, 3.6 or something – when it came out, it did things differently with JavaScript and jQuery, and it made a lot of the themes that I had purchased for clients or was using for clients, it broke them. So it ended up that this was something that – I mean I updated one site, and it completely broke it. But I had this backup and I was able to quickly restore to an older version of WordPress before I could troubleshoot and figure out what was going on, why transitions didn't work and all that good stuff.

So that's something, if you're really interested in making sure your site works. If you've got a pretty basic site and you don't have a lot of fancy stuff going on, then you're probably okay with this newest version of WordPress. But just kind of get ready. That's what I wanted to share this week, in terms of announcements. There are not a lot of announcements when it comes to this week, just because everything's prepping, getting ready for this new version of WordPress. And in a couple of weeks, we'll know exactly what's in there, how it works, and some of the new features and things that we can really take advantage of when it comes to building our WordPress website. Another thing that I want to share with you this week is a new plug-in that I found on the WordPress repository.

This one is called Page Animations and Transitions, and this is a plug-in that allows you to add transitional effects to your WordPress site so you can show your page with stylish transitions. So that means that images or things will actually appear as you scroll or as they become visible on a screen. So for example, you may have seen some themes out there – I know I've seen some that are really cool, that maybe have stats, and it says, "We have 15 people on our team." It's like a little circle that kind of animates and fills as it goes all the way around. That's what I'm talking about. You can animate so that things come into the page or they zoom out of the page. They can fade down from the top. They can fade left. They can flip. They can zoom. And this adds all the functionality, all the code behind making it happen, and then all you have to do is just easily implement it with a shortcode, and it just works. It's kind of cool.

So this is a cool way. This is actually one of the plug-ins that I played with when I tried to figure out how does this animation stuff work? And it's just all about getting the right methods and libraries and everything called properly. So then you can animate some of the stuff on your website. There's some really cool websites that are out there. I'll see if I can find any and put them in the show notes, that have some really neat animation, so you can see them. And if you're interested in any way, shape or form of this plug-in, it's in the WordPress repository under Page Animations and Transitions, and it's also in the show notes for Episode No. 279.

Alright, today we're going to move on to the advanced fixes. I'm calling these advanced, and the next episode will be called the pro fixes. These are still – they're only called advanced because they're a little bit more challenging to do than last week's, but they're not – they can all be done from a browser, which is really, really nice. So you don't have to SSH into your server or do anything like that. So these can all be done through either WordPress itself or your control panel within your hosting platform. So this is the second of the two-part series, and then of course next week will be Part 3. So the first tip is, the first thing that I want to share is use a security plug-in. And security plug-ins do exactly what the name implies. They help to keep your site secure in several different methods.

I've got three plug-ins that you could use for this. The first one is called iThemes Security, and this will help make your site more secure by walking you through a checklist of things that you need to do to make your site different than a default installation of WordPress. So the default versions of WordPress, they have the same database prefix. They sometimes use admin as the user I.D. or the username. There's a bunch of stuff. And there's probably 25 or 30 different things that you can go in, and it will tell you that you're showing your headers, so people know exactly what version of WordPress you're using. And you can say, "Oh, fix this," and it goes ahead and it just automatically fixes it for you, which is really, really nice.

So it basically – iThemes Security, I like to say it as it's a way that you can install this right away. I like to install it first when I'm building a website. You install it. You can do all the settings and configuration, and if you want to, you can actually remove this plug-in. But I like to keep it running. It's got some other things that it can do. It can log out or it can limit how many times people log in to your site. So if they've tried three or four times and they don't get in, then you want to lock them out and they can't log in again for 15 minutes or whatever that looks like. So that's one of the plug-ins I recommend for this. Another security plug-in that is really powerful is called Wordfence Security. It has some of the same functionality as iThemes Security, but the feature that stands out the most for this plug-in is it actually compares your site's files, both the core files, the plug-in files and your theme files, if the theme came from wordpress.org.

It will compare those with the repository's code and make sure that no malware has been injected into your website. I think this is really neat because it kind of monitors your website and makes sure that there are no changes made to things. So even if you were to change some theme files or do some things like that, you'll get an email notification or there'll be a notice in your dashboard saying, "Hey, are you okay? Do you know that this has changed on your website?" So that's something to really think about if you're looking for that type of functionality. And the next one is called VaultPress, and this one's not technically a security plug-in, but it has file monitoring. It kind of does the same thing as Wordfence Security, and will actually notify you via email if you have something – if there's some sort of – not necessarily malware, or if it looks like some sort of malicious code or anything like that, that will all come to you via an email, which is really, really nice.

So VaultPress is also kind of like a 2 for 1 plug-in, so you could use that for backing up your website and it can provide you notice and notifications that something is going wrong or some code has been modified on your website. So those are the three plug-ins when it comes to security plug-ins. Another plug-in, or the next step or the next thing that we need to do, is we need to protect against brute force attacks. These are kind of tricky to protect against. There's basically two types of attacks out there. There's one that they're looking for, that hackers are looking for, some sort of vulnerability in your system, whether that be you're running outdated versions of something or WordPress has a hole in it, or whatever that is. That's one way.

And the other way that people try to get into your site is called a brute force attack, and the hacker simply tries to guess passwords multiple times until successful, which usually it means millions of times in a row, which can actually take down your server because it's using so many resources to try to log in that many times. Again, it's all automated, it's not – like somebody's not sitting at their computer trying different passwords. They're just randomly trying – it's a computer sending password after password after password. So the best way to protect yourself from brute force attacks is called – it was called BruteProtect, but now it is built into Jetpack, and it is called Jetpack Protect. You basically turn it on, and it goes ahead and kind of works, and it does what it needs to. Then it will tell you how many log-ins have been blocked, how many brute force attacks have been thwarted because you are using Jetpack Protect, which is really, really nice.

So that's how to protect yourself against brute force attacks. I know there's a few hosting companies that actually put a little pop-up window before you can get to your WordPress site. I know that Green Gates, when I was hosting there, they had this every once in a while to protect from a brute force attack, and it basically – the username and the password was right in the little notification box. But apparently, brute force attackers couldn't see that when they were trying to get into your site, so they wouldn't be able to get into that level of your – actually get into the WordPress dashboard page. Another thing you can do against these brute force attacks, is you can actually rename your login page. So with Jetpack, or with the iThemes Security plug-in, you can actually say, instead of going to wp-login.php, you can call that like Dustin login is really hard to get to.

That could be the extension to your URL. So it could be really more – it would make it more difficult for a brute forcer to actually find the login page. So if they can't find the login page, then they're definitely not going to be able to submit password after password. So that is Step No. 2 or thing No. 2 that we can do to protect our websites. The next one is pretty simple. This one is delete unused plug-ins. We want to make sure that our site is secure with updated plug-ins, but if we're not using one, and maybe we've installed it for testing purposes, maybe we're trying it out to see if that's the plug-in that's going to work perfectly for us, you know, whatever the case may be. If it is deleted, or if it's deactivated in your dashboard, you just might as well remove it. There's no need to keep it around.

If you ever need it again, you can always add it back. Adding plug-ins back from the WordPress repository is super easy, and you definitely want to do this. You also want to do this with your themes. Get rid of those themes, and I know that a lot of times we need to troubleshoot things with the 2013, 2014, 2015 themes, and it's again, the same thing. If you need to troubleshoot something with one of those themes, you can easily download it right from your WordPress dashboard, do your testing, and then remove it. It's just one more thing that you have to keep updated, and it just – plug-ins update so regularly that if they're outdated, we don't want to have to be – spend all of our time just keeping our plug-ins updated. We want to actually work on our websites and make them much, much better.

So that is Step No. 3. Step No. 4 is reduce the number of plug-ins. This is something that – don't be going out there and trying to remove what your website can do. That's not what the point is here. But if there is an application or a plug-in that will work for multiple things, kind of like the VaultPress one was earlier, we were talking about it can do a backup and it can do some sort of protection and notification of when something may be different on your server, then that is a perfect example of a plug-in. Also Jetpack is a great one. It's got 30-plus modules that are built in. So if you are using the very basic features of social media buttons and you want related posts, you know, you could use Jetpack and get like a 2 for 1 bargain, and then that's fewer plug-ins to update and fewer opportunities for an attacker to get in.

Alright, the next one is use two factor authentication for logging in to your website. And two factor authentication is a combined way to provide some sort of login credentials, which means you basically have to provide two pieces of information. It's something that you know and something that you have. So for example, it's like something that you know would be a password, and then something you have is like your phone or your iPad or another device that could be pushed some sort of security code. With Apple, when you do a two factor authentication, it will send you a – it will say, okay, I'm going to send a four-digit code to which device, and then it will automatically pop up on your phone or your tablet or whatever.

With some of the other ones like Google, they have what's called a two factor authentication code, and there's different programs and different apps to do this. And it gives you the ability that you open it up, it generates a random six-digit number, and then from there, you type that in as the second piece of your login, if you're logging in to Gmail, if you've got two factor authentication turned on. So that's really cool. It makes it difficult for somebody that doesn't have your phone or doesn't have your second device, to be able to log in to your website. It is kind of annoying when you want to try to log in, and you have to find that other device, but I use a program called Authy. It works really well. It syncs via the app, so it gives the ability to – so I could use my iPad, I can use my phone, and I can also use my Apple Watch to generate codes.

So a lot of times – I mean I always have my watch on, and so if I'm trying to log in to something, I can pull up the numbers real quick and then type them in. And there's another cool one out there called – it's called Clef, and it actually uses your camera on your phone. And that's, I think, multi-platform. So when you install Clef, it turns on and then it's a barcode that you actually just pick up your phone – you can do it on my iPhone 6 – you can actually use the Touch ID to unlock it. You can use the Touch ID to unlock Clef, and then that will automatically take a picture of your screen and auto log you in, which is pretty cool. So it makes that barrier to entry to get into your website just that much more difficult.

The next one is called using Cloudflare. It's kind of a mystery of how it works. I don't know exactly how it works, but I've heard a lot of people recommend using Cloudflare. A lot of the most popular, or the most useful things that Cloudflare can do are free. So basically, in a nutshell, how Cloudflare works, is it routes all traffic coming to your site through a network of servers, and those servers let only genuine people in who read your content, and bounce anyone that looks suspicious. So they've kind of got their own network list of people who are spammy type, and they won't let those people actually visit your site. So I think that is pretty cool. So use Cloudflare is the next one.

That was that one. The next one is monitor for malware. This is something that you can also do. We talked a little bit about this when it comes to securing your site. But basically malware is a term that Wikipedia defines as various forms of intrusive software, including malicious web scripts, and this is the stuff that can attack our WordPress site. I hate malware. It's a big pain. It's a reason we have to do all this stuff, because there's a lot of – you know, people that are trying to jam in extra links on your website. They're trying to do a lot of different things. So you want to monitor. You can use a couple of different services if you like. But again, the VaultPress plug-in can do this, and the Wordfence plug-in can kind of monitor for malware as well. They're looking for things that are kind of injected or are kind of hidden inside your code, and they're not supposed to be there, and they can find what that is and let you know about it.

Let's see. We're getting close here to the end. We've got three more. The next one is called block pingbacks and trackbacks, and this is just an interesting way that other computers, when they link to your website, they can actually get more information about your website. So it's something that you may want to think about disabling. Pingbacks and trackbacks, those are those little notifications that show up kind of in the comments section that says, "Such and such linked a comment to this post," or whatever. So that is something you want to think about as well.

The ninth one is called disable XML-RPC, and this is an older technology that WordPress really used a lot back in the day. This was something that, if you wanted to email your posts, so maybe you're emailing it, you could email it to your website. There's a few other technologies that can use the XML-RPC, but basically, if you're not using it for any reason, you can go ahead and disable it. If you're not using it at all, you can disable it within WordPress, but you could also delete – it's an xmlrpc.php file. You can just go ahead and remove that, and you're not going to lose any functionality when it comes to WordPress. You just won't be able to use that technology for anything. With the way that the WordPress API and everything is coming out here in the future, then we definitely probably don't need to be using XML-RPC.

Then the last one is using a plug-in called Theme Check. I think it's just called Theme Check. And what this is, is this is usually pretty good for when you first install a site, but then this is also really good for, after you're using a website for a while, it's really kind of neat. It goes in and it looks for any static links to anything. So that's kind of, when you build a WordPress theme, you never want to put a static link to anything because you never know what directory this theme may be in and how people are going to use it and whatnot. So they're all relative links. So it looks for static links. It makes sure that it will pull out anything if it's linked to any online shopping bags or any pharmaceutical drugs or anything like that.

It will notify you and you can then pull that information out of your theme. Or you can just say, "Hey, somebody's not being very trustworthy with this theme. I'm not going to use this one." So that's something you can do, especially if you find a theme that's not in – WordPress repository ones are absolutely fine, but if you find other free themes, or themes that are kind of questionable about the people, the developers that may have created it, this is a perfect test to run, to go through and see what that looks like and see if there's any static content inside your website. So that's it. Those are the ten. Let me run through real, real quick one more time.

The first one is, it is using a security plug-in, and that's something like iThemes Security, Wordfence Security, VaultPress. We want to protect against brute force attacks using Jetpack Protect. We want to delete any unused plug-ins. We want to reduce the number of plug-ins that we're using. We want to log in to our websites with two-factor authentication. We want to use Cloudflare to make sure that only legit people are coming to our website. We want to monitor for malware and make sure that there's no code that's being jammed into our website or actually comes into our website from something else that we download. We want to block pingbacks and trackbacks. We want to disable XML-RPC. And we want to check our themes before using them. So those are the ten more advanced things.

Again, we're all still within the WordPress dashboard, and we're not really – there's still more to come. There's still more things that we can do, starting next week, that we can continue to amp up our game and make sure it's really difficult for hackers to get into our website. So those are the things that I want to share. Remember that, as I find the music here, remember that WordPress 4.5 is coming out, and you want to get your site ready. You maybe want to try a test run. So don't forget about that. And also I'm going to be sharing really, really soon about the course that I took on how to get more email subscribers. It's kind of a WordPress related topic, and it's kind of not. So I'm going to be sharing some of that in email newsletter form, and also a little bit here on the podcast.

So those are the things that I'm talking about this week. I will see you next week, or I'll talk to you next week. Take care. Bye-bye.
